Keep a Matrix (Synapse) homeserver in sync with Authentik and onboard new users.
Project description
Onbot
Onbot keeps a Matrix (Synapse) homeserver in sync with an Authentik identity provider and gives every new user a friendly welcome into the right rooms.
Authentik is the source of truth. Onbot mirrors it into Matrix: each Authentik group becomes a room, group membership becomes room membership, and roles become power levels. When a new user shows up, they get a guided 1:1 welcome message.
Onbot is built for Matrix 2.0. It assumes a Matrix Authentication Service (MAS) deployment with Authentik as the upstream identity provider.
What Onbot does and does not do
Onbot does not create accounts. MAS provisions a Matrix account the first time a user logs in through Authentik. Onbot's job is projection: turn Authentik groups into rooms, group membership into room membership, attributes into power levels, and drive the offboarding lifecycle when a user is disabled.
Quick start with Docker
The published image is dzdde/onbot on Docker Hub. It runs
as a non-root user and needs one thing from you: a config file.
-
Create a
config.yml(see Minimal config below). -
Run it:
docker run --rm \
-v "$PWD/config.yml:/config/config.yml:ro" \
dzdde/onbot:latest
The image defaults to reading /config/config.yml and running the long-lived onbot run service.
It also ships a built-in HEALTHCHECK.
docker-compose
services:
onbot:
image: dzdde/onbot:latest
restart: unless-stopped
volumes:
- ./config.yml:/config/config.yml:ro
More deployment detail (env-only config, CLI commands, healthcheck) lives in docs/deployment.md.
Minimal config
Configuration is a single YAML file. Copy this, fill in the values, save it as config.yml:
synapse_server:
server_name: company.org # your Matrix domain (the part after the ':')
server_url: https://internal.matrix # how the bot reaches Synapse (an internal URL is fine)
bot_user_id: "@welcome-bot:company.org"
bot_access_token: syt_REPLACE_ME # or an `oauth2:` block instead
authentik_server:
url: https://authentik.company.org/
api_key: REPLACE_ME # an Authentik API token
# Required to enforce offboarding under MAS (omit on non-MAS deployments):
mas_admin:
url: https://auth.company.org # the MAS base URL
client_id: REPLACE_ME # a MAS admin client (in policy.data.admin_clients)
client_secret: REPLACE_ME
sync_authentik_users_with_matrix_rooms:
authentik_username_mapping_attribute: username # MUST agree with MAS's localpart template
Two settings above are easy to get wrong and worth calling out:
authentik_username_mapping_attributemust match the localpart template MAS uses. Onbot computes each user's MXID from this Authentik attribute. If it disagrees with MAS, the computed MXIDs will not match the real accounts and nobody gets added to rooms.mas_adminis required to actually offboard disabled users. The Synapse admin API cannot revoke a MAS-issued session, only MAS can. Without this block, offboarding silently does nothing to live sessions.
Every setting can also be supplied via an environment variable (prefix ONBOT_, nest with __),
for example ONBOT_SYNAPSE_SERVER__BOT_ACCESS_TOKEN=syt_….
Never commit a real config.
config*.ymlis gitignored (onlyconfig.example.ymlis tracked) and the image carries no secrets. Provide config at runtime.
For the full picture (bot credential options, the MAS auth topology, and every field), see the docs below.
Documentation
- docs/configuration.md walks through every config block, the bot credential choices, and how to generate the reference.
- docs/CONFIG_REFERENCE.md lists every field, its type, default,
description, and
ONBOT_*env-var name (generated from the model). - docs/deployment.md covers running with Docker and compose, env-only config, the CLI commands, and the healthcheck.
- docs/architecture.md explains the Matrix client to MAS to Authentik auth topology and links the architecture decision records.
- docs/development.md is the setup, build, and release guide for contributors.
- docs/testing.md describes the unit, contract, and integration suites.
- docs/troubleshooting.md is a symptom to cause table for common issues.
- docs/project/GOALS.md captures project intent and docs/project/BATTLE_PLAN.md the build plan.
License
MIT, see LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file onbot-0.0.1.tar.gz.
File metadata
- Download URL: onbot-0.0.1.tar.gz
- Upload date:
- Size: 90.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f267248da9079efc2c4f7f09c85b15e36897b632ef83824b4ca10a93ae6936ca
|
|
| MD5 |
28d9eba36a1938e6ff1fea24449c5c13
|
|
| BLAKE2b-256 |
400cdd464aa1be335c425613b9cfdb94c15a5bc2d62dcf1334a9ff17cf1c3b96
|
File details
Details for the file onbot-0.0.1-py3-none-any.whl.
File metadata
- Download URL: onbot-0.0.1-py3-none-any.whl
- Upload date:
- Size: 65.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d99476edf6c0037624bc262f98c508c6216b52e3125f6467c51423c17e1477bc
|
|
| MD5 |
580adee881f772d221996a3530e564af
|
|
| BLAKE2b-256 |
88bc47e550a5a9b2b2a35b7d19fa541cadb08da3ec890bb685786ddc31752bc8
|